MLPAB-10 - Create a PR workflow (#1)
* initialise account level terraform

* add pre-commit config

* add gitignore

* add PR template

* manage terraform and provider versions

* initialise terraform account level Terraform

* add PR workflow

* add codeowners for PR approvals

* add job for tagging images and workspaces

* add readme for account and environment level Terraform

* initialise environment level terraform

* run environment jobs on pr workflow

* Add further hooks to repo, preferring versioned hooks rather than moving branches

* create a path to live for terraform account and environment

* create a table in dev to track dev environments

Co-authored-by: Alex Saunders <[email protected]>
andrewpearce-digital and acsauk authored Aug 1, 2022
1 parent afd29af commit c46ff4b
Showing 24 changed files with 899 additions and 0 deletions.
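--- /dev/null
+++ b/.github/workflows/tags_job.yml
@@ -0,0 +1,57 @@
+on:
+workflow_call:
+outputs:
+version_tag:
+description: "Docker Image Tag"
+value: ${{ jobs.create_tags.outputs.docker_tag }}
+environment_workspace_name:
+description: "Terraform Environment Workspace Name"
+value: ${{ jobs.generate_environment_workspace_name.outputs.environment_workspace_name }}
+
+jobs:
+create_tags:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+- name: Extract branch name
+id: extract_branch
+run: |
+if [ "$GITHUB_EVENT_NAME" == "push" ]; then
+echo BRANCH_NAME=main >> $GITHUB_ENV
+else
+branch=${{ github.head_ref }}
+branch=${branch//-}
+branch=${branch//_}
+branch=${branch//\/}
+echo BRANCH_NAME=${branch} >> $GITHUB_ENV
+fi
+- name: Bump version
+id: bump_version
+uses: anothrNick/[email protected]
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+INITIAL_VERSION: 0.0.0
+DEFAULT_BUMP: minor
+PRERELEASE_SUFFIX: ${{ env.BRANCH_NAME }}
+RELEASE_BRANCHES: main
+WITH_V: true
+outputs:
+docker_tag: ${{ steps.bump_version.outputs.tag }}
+
+generate_environment_workspace_name:
+if: github.ref != 'refs/heads/main'
+runs-on: ubuntu-latest
+steps:
+- name: Generate workspace name
+id: name_workspace
+run: |
+workspace=${{ github.event.number }}${{ github.head_ref }}
+workspace=${workspace//-}
+workspace=${workspace//_}
+workspace=${workspace//\/}
+workspace=${workspace:0:11}
+workspace=$(echo ${workspace} | tr '[:upper:]' '[:lower:]')
+echo ::set-output name=name::${workspace}
+echo ${workspace}
+outputs:
+environment_workspace_name: ${{ steps.name_workspace.outputs.name }}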
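Review bot: `branch=${{ github.head_ref }}` in the Extract branch name step and `workspace=${{ github.event.number }}${{ github.head_ref }}` in the Generate workspace name step splice the PR head branch name straight into a bash script, so a branch whose name contains shell metacharacters (`;`, `$(...)`, backticks are all legal in git ref names) runs as code on the runner; the standard fix is to pass the value through the step's `env:` (`HEAD_REF: ${{ github.head_ref }}`) and read it as a quoted variable, `branch="$HEAD_REF"`, and likewise a `PR_NUMBER` variable in the second job. On a plain `pull_request` trigger a fork's run gets a read-only token and no secrets, which limits the blast radius, but a same-repo branch runs with whatever the caller grants (the calling workflows in this commit set `contents: write`), and that is also the `GITHUB_TOKEN` handed to `anothrNick/github-tag-action`. That action is referenced by a mutable tag, `1.39.0`; pinning it to the full commit SHA with a `# v1.39.0` comment would stop a moved tag from silently receiving a write-capable token. Separately, the workspace name concatenates the PR number and the stripped branch name with no separator and then truncates to 11 characters, so PR 1 with branch `2foo` and PR 12 with branch `foo` both become `12foo` and share a Terraform workspace; a fixed-width or trailing PR number would keep the names unique.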
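--- /dev/null
+++ b/.github/workflows/terraform_account_job.yml
@@ -0,0 +1,62 @@
+on:
+workflow_call:
+inputs:
+workspace_name:
+description: 'The terraform workspace to target for account actions'
+required: true
+type: string
+jobs:
+terraform_account_workflow:
+runs-on: ubuntu-latest
+outputs:
+tag: ${{ steps.bump_version.outputs.tag }}
+steps:
+- uses: actions/checkout@v2
+with:
+fetch-depth: '0'
+- name: Extract branch name
+run: |
+if [ "${{ github.head_ref }}" == "" ]; then
+echo BRANCH_NAME=main >> $GITHUB_ENV
+else
+echo BRANCH_NAME=${{ github.head_ref }} >> $GITHUB_ENV
+fi
+id: extract_branch
+- uses: unfor19/install-aws-cli-action@v1
+- uses: hashicorp/setup-terraform@v2
+with:
+terraform_version: 1.2.6
+- name: Configure AWS Credentials For Terraform
+uses: aws-actions/configure-aws-credentials@v1
+with:
+aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
+aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
+aws-region: eu-west-1
+role-duration-seconds: 3600
+role-session-name: OPGModernisingLPATerraformGithubAction
+
+- name: Lint Terraform
+id: tf_lint
+run: terraform fmt -check -recursive
+working-directory: ./terraform/account
+continue-on-error: true
+
+- name: Terraform Init
+run: terraform init -input=false
+working-directory: ./terraform/account
+
+- name: Terraform Plan
+env:
+TF_WORKSPACE: ${{ inputs.workspace_name }}
+run: |
+terraform workspace show
+terraform plan -input=false -parallelism=30
+working-directory: ./terraform/account
+
+- name: Terraform Apply
+env:
+TF_WORKSPACE: ${{ inputs.workspace_name }}
+if: github.ref == 'refs/heads/main'
+run: |
+terraform apply -lock-timeout=300s -input=false -auto-approve -parallelism=30
+working-directory: ./terraform/account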
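Review bot: The job output `tag: ${{ steps.bump_version.outputs.tag }}` points at a step that does not exist in this job (the only step ids here are `extract_branch` and `tf_lint`), so callers always receive an empty string; either drop the output or have callers take the tag from the tags job. The Extract branch name step writes `${{ github.head_ref }}` into the shell twice (once inside double quotes, which does not stop `"`, `$(` or backticks in a branch name from being interpreted), and `BRANCH_NAME` is not read by any later step in this job, so the simplest fix is to delete the step; if the variable is needed, pass the ref through `env:` as `HEAD_REF: ${{ github.head_ref }}` and write `echo "BRANCH_NAME=${HEAD_REF:-main}" >> "$GITHUB_ENV"`. The AWS step uses long-lived static keys (`AWS_ACCESS_KEY_ID_ACTIONS` / `AWS_SECRET_ACCESS_KEY_ACTIONS`) with no `role-to-assume`; as far as I can tell `role-duration-seconds` and `role-session-name` only apply when a role is assumed, so they are inert here, and because the same keys plan against every account from PR runs, moving to OIDC (`id-token: write` plus `role-to-assume`, ideally one role per workspace) would bound what a compromised run can reach. Minor: `actions/checkout@v2` here versus `@v3` in tags_job.yml, and `terraform_version: 1.2.6` here versus `1.2.2` in the environment job, even though the commit message says versions are now managed.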
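--- /dev/null
+++ b/.github/workflows/terraform_environment_job.yml
@@ -0,0 +1,101 @@
+on:
+workflow_call:
+inputs:
+workspace_name:
+description: 'The terraform workspace to target for environment actions'
+required: true
+type: string
+version_tag:
+description: 'The docker image tag to deploy in the environment'
+required: true
+type: string
+outputs:
+terraform_workspace_name:
+description: "Name of Terraform workspace"
+value: ${{ jobs.terraform_environment_workflow.outputs.terraform_workspace_name }}
+terraform_container_version:
+description: "Container version deployed by Terraform"
+value: ${{ jobs.terraform_environment_workflow.outputs.terraform_container_version }}
+jobs:
+terraform_environment_workflow:
+runs-on: ubuntu-latest
+outputs:
+terraform_workspace_name: ${{ steps.terraform_outputs.outputs.workspace_name }}
+terraform_container_version: ${{ steps.terraform_outputs.outputs.container_version }}
+steps:
+- uses: actions/checkout@v2
+with:
+fetch-depth: '0'
+- name: Extract branch name
+run: |
+if [ "${{ github.head_ref }}" == "" ]; then
+echo BRANCH_NAME=main >> $GITHUB_ENV
+else
+echo BRANCH_NAME=${{ github.head_ref }} >> $GITHUB_ENV
+fi
+id: extract_branch
+- uses: unfor19/install-aws-cli-action@v1
+- uses: hashicorp/setup-terraform@v2
+with:
+terraform_version: 1.2.2
+terraform_wrapper: false
+- name: Configure AWS Credentials For Terraform
+uses: aws-actions/configure-aws-credentials@v1
+with:
+aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
+aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
+aws-region: eu-west-1
+role-duration-seconds: 3600
+role-session-name: OPGMaintenanceTerraformGithubAction
+# - uses: webfactory/[email protected]
+# with:
+# ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY_ALLOW_LIST_REPOSITORY }}
+
+- name: Lint Terraform
+id: tf_lint
+run: terraform fmt -check -recursive
+working-directory: ./terraform/environment
+continue-on-error: true
+
+- name: Terraform Init
+run: terraform init -input=false
+working-directory: ./terraform/environment
+
+- name: Terraform Plan
+env:
+TF_WORKSPACE: ${{ inputs.workspace_name }}
+TF_VAR_container_version: ${{ inputs.version_tag }}
+run: |
+terraform workspace show
+terraform plan -input=false -parallelism=30
+working-directory: ./terraform/environment
+
+# - name: Protect environment workspace
+# if: github.ref != 'refs/heads/main'
+# env:
+# TF_WORKSPACE: ${{ inputs.workspace_name }}
+# TF_VAR_container_version: ${{ inputs.version_tag }}
+# run: |
+# wget https://github.com/TomTucka/terraform-workspace-manager/releases/download/v0.3.1/terraform-workspace-manager_Linux_x86_64.tar.gz -O $HOME/terraform-workspace-manager.tar.gz
+# sudo tar -xvf $HOME/terraform-workspace-manager.tar.gz -C /usr/local/bin
+# sudo chmod +x /usr/local/bin/terraform-workspace-manager
+# terraform-workspace-manager -register-workspace=$TF_WORKSPACE -time-to-protect=24 -aws-account-id=679638075911 -aws-iam-role=opg-maintenance-ci
+# working-directory: ./terraform/environment
+
+- name: Terraform Apply
+env:
+TF_WORKSPACE: ${{ inputs.workspace_name }}
+TF_VAR_container_version: ${{ inputs.version_tag }}
+run: |
+terraform apply -lock-timeout=300s -input=false -auto-approve -parallelism=30
+working-directory: ./terraform/environment
+
+- name: Terraform Outputs
+id: terraform_outputs
+env:
+TF_WORKSPACE: ${{ inputs.workspace_name }}
+TF_VAR_container_version: ${{ inputs.version_tag }}
+run: |
+echo ::set-output name=workspace_name::$(terraform output -raw workspace_name)
+echo ::set-output name=container_version::$(terraform output -raw container_version)
+working-directory: ./terraform/environment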
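Review bot: Terraform Apply in this job has no `if:` guard, unlike the account job, so every caller, including the `pull_request` workflow, applies with `-auto-approve` under the shared account credentials; that looks intentional for PR environments, but an explicit caller-supplied input such as `apply: { type: boolean, default: false }` checked with `if: inputs.apply` would stop a future caller from applying by accident and make the intent readable. The Extract branch name step interpolates `${{ github.head_ref }}` directly into bash (the same injection pattern as the tags job) and `BRANCH_NAME` is never read later in this job, so remove the step or route the ref through `env:` and quote it. The commented-out "Protect environment workspace" block fetches a release tarball with `wget` and unpacks it into `/usr/local/bin` under `sudo` with no checksum check; if it is reinstated it should pin the release and verify the published sha256 before executing the binary. Also `terraform_version: 1.2.2` here differs from `1.2.6` in terraform_account_job.yml, which the commit message suggests was meant to be a single managed version.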
91 changes: 91 additions & 0 deletions .github/workflows/workflow_path_to_live.yml
@@ -0,0 +1,91 @@
name: "[Workflow] Path To Live"

on:
push:
branches:
- main

permissions:
contents: write
security-events: write
pull-requests: read
actions: none
checks: none
deployments: none
issues: none
packages: none
repository-projects: none
statuses: none

defaults:
run:
shell: bash

jobs:
create_tags:
name: Create Tags
uses: ./.github/workflows/tags_job.yml

terraform_account_workflow_development:
name: TF Apply Dev Account
uses: ./.github/workflows/terraform_account_job.yml
with:
workspace_name: development
secrets: inherit

terraform_account_workflow_preproduction:
name: TF Apply Preprod Account
needs: terraform_account_workflow_development
uses: ./.github/workflows/terraform_account_job.yml
with:
workspace_name: preproduction
secrets: inherit

preproduction_deploy:
name: Preproduction Deploy
needs: [create_tags, terraform_account_workflow_preproduction]
uses: ./.github/workflows/terraform_environment_job.yml
with:
workspace_name: preproduction
version_tag: ${{ needs.create_tags.outputs.version_tag }}
secrets: inherit

preproduction_deploy_complete:
name: Preproduction Deployment
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
environment: preproduction
needs: [preproduction_deploy]
steps:
- name: Complete
run: |
echo "preproduction environment tested, built and deployed"
terraform_account_workflow_production:
name: TF Apply Prod Account
needs: [preproduction_deploy_complete]
uses: ./.github/workflows/terraform_account_job.yml
with:
workspace_name: production
secrets: inherit

production_deploy:
name: Production Deploy
needs: [create_tags, terraform_account_workflow_production]
uses: ./.github/workflows/terraform_environment_job.yml
with:
workspace_name: production
version_tag: ${{ needs.create_tags.outputs.version_tag }}
secrets: inherit


end_of_main_workflow:
name: End of Main Workflow
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
environment: production
needs: [production_deploy]
steps:
- name: End of Path to Live Workflow
run: |
echo "production environment tested, built and deployed"
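Review bot: `end_of_main_workflow` carries `environment: production` but only runs after `production_deploy` has already applied, and `production_deploy` (via the reusable job) has no `environment:` of its own, so any protection rules on the production environment, such as required reviewers or a wait timer, are evaluated only after the production apply has finished; `preproduction_deploy_complete` has the same ordering, though there it at least gates the production jobs that follow. If these environments are meant to gate deployment, the gate job needs to precede the deploy (for example `production_deploy` should `needs:` an approval job with `environment: production`), or the reusable job should accept an `environment` input and set it on its own job. The workflow-level `permissions` grant `contents: write` and `security-events: write` to every job, but only the tag-bump step in the tags job visibly writes to the repository and nothing here uploads security events; defaulting to `contents: read` and setting `permissions: contents: write` on the `create_tags` job alone would follow least privilege, and the caller is the right place to do that because a reusable workflow cannot exceed the permissions of the job that calls it. The `if: github.ref == 'refs/heads/main'` conditions are redundant under a `push: branches: [main]` trigger, which is harmless but reads as a leftover from the PR workflow.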
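--- /dev/null
+++ b/.github/workflows/workflow_pr.yml
@@ -0,0 +1,72 @@
+name: "[Workflow] PR"
+
+on:
+pull_request:
+branches:
+- main
+
+permissions:
+contents: write
+security-events: write
+pull-requests: read
+actions: none
+checks: none
+deployments: none
+issues: none
+packages: none
+repository-projects: none
+statuses: none
+
+defaults:
+run:
+shell: bash
+
+jobs:
+create_tags:
+name: Create Tags
+uses: ./.github/workflows/tags_job.yml
+
+terraform_account_workflow_development:
+name: TF Plan Dev Account
+uses: ./.github/workflows/terraform_account_job.yml
+with:
+workspace_name: development
+secrets: inherit
+
+terraform_account_workflow_preproduction:
+name: TF Plan Preprod Account
+needs: terraform_account_workflow_development
+uses: ./.github/workflows/terraform_account_job.yml
+with:
+workspace_name: preproduction
+secrets: inherit
+
+terraform_account_workflow_production:
+name: TF Plan Prod Account
+needs: terraform_account_workflow_development
+uses: ./.github/workflows/terraform_account_job.yml
+with:
+workspace_name: production
+secrets: inherit
+
+pr_deploy:
+name: PR Environment Deploy
+needs: [create_tags]
+uses: ./.github/workflows/terraform_environment_job.yml
+with:
+workspace_name: ${{ needs.create_tags.outputs.environment_workspace_name }}
+version_tag: ${{ needs.create_tags.outputs.version_tag }}
+secrets: inherit
+
+end_of_pr_workflow:
+name: End of PR Workflow
+if: github.ref != 'refs/heads/main'
+runs-on: ubuntu-latest
+environment:
+name: ${{ needs.create_tags.outputs.environment_workspace_name }}
+needs: [pr_deploy, create_tags]
+steps:
+- name: End of PR Workflow
+run: |
+echo "${{ needs.pr_deploy.outputs.terraform_workspace_name }} PR environment tested, built and deployed"
+echo "Tag Deployed: ${{ needs.pr_deploy.outputs.terraform_container_version }}"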
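Review bot: The workflow-level `permissions` give every job of a `pull_request` run `contents: write` and `security-events: write`, yet only `create_tags` pushes a tag and nothing here uploads security events; the three account plan jobs and `pr_deploy` only read the checkout, so the default should be `contents: read` with `permissions: contents: write` set on the `create_tags` job alone. For a fork PR GitHub downgrades the token and withholds secrets, so the account and deploy jobs will simply fail, but a same-repo PR from anyone with push access plans against the development, preproduction and production accounts and applies a PR environment with `-auto-approve` under the shared `AWS_*_ACTIONS` keys, and the production plan output is written to the run logs (public if the repository is); that may be an accepted trade-off, but it should be recorded, and the production plan is worth checking for values you would not want in a PR log. `end_of_pr_workflow` creates a GitHub environment named after each PR workspace through `environment: name: ${{ ... }}`; nothing in this commit removes those, so they will accumulate unless a cleanup step or a fixed environment name is planned. `pr_deploy` depends only on `create_tags`, so a PR environment is applied even when the account plans fail; if that is deliberate, a one-line comment saying so would save the next reader from "fixing" it.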
